NIS Network Information Security
NIS is an EU directive intended to increase the security of network and information systems. The directive has been in force since 2016 and had to be transposed into national law by the member states.
The Network and Information Security Directive (NIS Directive), which entered into force in 2016, was the first EU legislation to improve cybersecurity in the Member States. It laid the foundation for a coordinated approach to network and information security in the European Union.
NIS2 Network Information Security
The NIS2 Directive (Directive on measures to ensure a high common level of cybersecurity in the Union) is a further development of the original NIS Directive (Network and Information Security Directive) of the European Union, which entered into force in 2016. The NIS2 Directive was published on 27 December 2022 and is intended to strengthen cybersecurity in the EU and adapt it to the changing threat situation.
The key points of the NIS2 Directive are as follows:
Extended scope
The NIS2 Directive extends the scope of application to a larger number of sectors and companies that are considered to provide ‘essential’ or ‘important’ services. In addition to the sectors already covered by the NIS Directive (e.g. energy, transport, water, health), new sectors are included, such as
- Water supply and waste water disposal
- Digital Infrastructure (e.g. DNS-providers, data centres)
- Public administration
- Space
- Food production
Inclusion of medium and large companies
Medium and large companies in the affected sectors are now obliged to fulfil the requirements of the NIS2 Directive.
Harmonisation of cyber security requirements
The directive sets out harmonised cyber security requirements that must be met by all affected companies and organisations. These include technical and organisational measures such as
- The introduction and implementation of a cybersecurity risk management system.
- Requirements for incident response, including reporting obligations.
- Regular reviews and audits of cyber security measures.
Companies must report security incidents that have a significant impact on the provision of their services within strict deadlines. This applies to incidents that affect the confidentiality, integrity and availability of networks and information systems.
Tighter monitoring and enforcement
The NIS2 Directive strengthens the supervisory and enforcement powers of national authorities. This includes the ability to hold companies accountable, impose penalties and enforce sanctions where appropriate.
Consistent enforcement across the EU: Measures will be introduced to harmonise enforcement across the EU to ensure that the directive is applied consistently in all member states.
Enhanced cooperation and information sharing
Cooperation between Member States: The Directive promotes increased cooperation and information sharing between Member States. This includes joint actions to combat cross-border cyber threats.
CSIRT network: The role of the Computer Security Incident Response Team (CSIRT) network is strengthened to improve coordination and information sharing between Member States.
Management responsibility
Management responsibility: The directive explicitly states that the top management of a company (i.e. the board of directors or management) is responsible for compliance with the cybersecurity requirements. This includes the obligation to regularly inform themselves about cybersecurity risks and measures and to make appropriate decisions.
Tougher sanctions
Penalties and fines: The NIS2 Directive provides for tougher penalties for non-compliance with cybersecurity requirements, including significant fines. The amount of the fines can vary depending on the severity of the offence and is intended to have a deterrent effect.
Resilience and supply chains
The Directive emphasises the need to increase the resilience of networks and information systems, especially in view of the increasing dependence on digital technologies.
Organisations must also assess and manage the cyber security risks in their supply chains and with third-party providers, which means an extended responsibility for security beyond their own systems.
Transitional periods and implementation obligations
Member States must transpose the directive into national law by October 2024. Companies will then have a certain amount of time to fulfil the new requirements.
EU NIS Directive
DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 6 July 2016 on measures to ensure a high common level of security of network and information systems in the Union
NIS point of contact in the EU
The European Union Agency for Cybersecurity
https://www.enisa.europa.eu/about-enisa/about/de
Implementation in Austria
In Austria, the directive was implemented via the Network and Information Systems Security Act (NISG).
Federal Act on the Assurance of a High Level of Security of Network and Information Systems (Network and Information Systems Security Act – NISG), StF: BGBl. I Nr. 111/2018 (NR: GP XXVI RV 369 AB 418 S. 53. BR: AB 10099 S. 887.) [CELEX-Nr.: 32016L1148]
Austria Contact point
Contact point for the Network and Information Systems Security Act (NISG)
https://www.nis.gv.at/
Implementation in Germany
Act on the Implementation of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to ensure a high common level of security of network and information systems in the Union, of 23 June 2017
Second Act to Increase the Security of Information Technology Systems (IT Security Act 2.0), of 18 May 2021
BSI Act of 14 August 2009 (Federal Law Gazette I p. 2821), last amended by Article 12 of the Act of 23 June 2021 (Federal Law Gazette I p. 1982).
Ordinance on the identification of critical infrastructures under the BSI Act (BSI-Kritisverordnung – BSI-KritisV), last amended by Article 1 No. 8 of the Act of 17 July 2015 (BGBl. I p. 1324)
Germany Contact point
Federal Office for Information Security (BSI)
https://www.bsi.bund.de/DE/Home/home_node.html